mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-07 09:10:57 +01:00
"--ip" works now (see help)
little cleanups
This commit is contained in:
parent
46c43ee53f
commit
4432faf497
70
testssl.sh
70
testssl.sh
@ -130,14 +130,15 @@ HEXC=""
|
|||||||
NW_STR=""
|
NW_STR=""
|
||||||
LEN_STR=""
|
LEN_STR=""
|
||||||
SNI=""
|
SNI=""
|
||||||
IP4=""
|
|
||||||
IP6=""
|
|
||||||
OSSL_VER="" # openssl version, will be auto-determined
|
OSSL_VER="" # openssl version, will be auto-determined
|
||||||
OSSL_VER_MAJOR=0
|
OSSL_VER_MAJOR=0
|
||||||
OSSL_VER_MINOR=0
|
OSSL_VER_MINOR=0
|
||||||
OSSL_VER_APPENDIX="none"
|
OSSL_VER_APPENDIX="none"
|
||||||
HAS_DH_BITS=true
|
HAS_DH_BITS=true
|
||||||
|
NODE=""
|
||||||
NODEIP=""
|
NODEIP=""
|
||||||
|
IPADDRs=""
|
||||||
|
IP46ADDRs=""
|
||||||
VULN_COUNT=0
|
VULN_COUNT=0
|
||||||
readonly VULN_THRESHLD=1 # if bigger than this no we show a separate header in blue
|
readonly VULN_THRESHLD=1 # if bigger than this no we show a separate header in blue
|
||||||
IPS=""
|
IPS=""
|
||||||
@ -3106,6 +3107,7 @@ $PROG_NAME <options> URI ("$PROG_NAME URI" does everything except ciphers per
|
|||||||
|
|
||||||
<-t|--starttls> protocol does a default run against a STARTTLS enabled service
|
<-t|--starttls> protocol does a default run against a STARTTLS enabled service
|
||||||
<--mx> domain/host tests MX records from high to low priority (STARTTLS, port 25)
|
<--mx> domain/host tests MX records from high to low priority (STARTTLS, port 25)
|
||||||
|
<--ip> ipv4 takes ipv4 instead of resolving host in URI (supplied host name is vhost then)
|
||||||
|
|
||||||
|
|
||||||
partly mandatory parameters:
|
partly mandatory parameters:
|
||||||
@ -3306,8 +3308,8 @@ ignore_no_or_lame() {
|
|||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
# Parameters: 1 URI
|
# arg1: URI
|
||||||
# [2] protocol
|
# arg2: protocol
|
||||||
parse_hn_port() {
|
parse_hn_port() {
|
||||||
PORT=443 # unless otherwise auto-determined, see below
|
PORT=443 # unless otherwise auto-determined, see below
|
||||||
NODE="$1"
|
NODE="$1"
|
||||||
@ -3402,52 +3404,55 @@ parse_hn_port() {
|
|||||||
|
|
||||||
|
|
||||||
get_dns_entries() {
|
get_dns_entries() {
|
||||||
test4iponly=$(printf $NODE | sed -e 's/[0-9]//g' -e 's/\.//g')
|
local ip4=""
|
||||||
if [ "x$test4iponly" == "x" ]; then # only an IPv4 address was supplied
|
local ip6=""
|
||||||
IP4=$NODE
|
|
||||||
|
if [ -z "$(printf $NODE | sed -e 's/[0-9]//g' -e 's/\.//g')" ]; then
|
||||||
|
ip4=$NODE # only an IPv4 address was supplied as an argument, no hostname
|
||||||
SNI="" # override Server Name Indication as we test the IP only
|
SNI="" # override Server Name Indication as we test the IP only
|
||||||
else
|
else
|
||||||
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
|
# for security testing sometimes we have local entries. Getent is BS under Linux for localhost: No network, no resolution
|
||||||
IP4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
ip4=$(grep -w "$NODE" /etc/hosts | egrep -v ':|^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
||||||
if [ -z "$IP4" ]; then
|
if [ -z "$ip4" ]; then
|
||||||
if which host &> /dev/null && [ -z "$IP4" ] ; then
|
if which host &> /dev/null && [ -z "$ip4" ] ; then
|
||||||
IP4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
ip4=$(host -t a $NODE 2>/dev/null | grep -v alias | sed 's/^.*address //')
|
||||||
if echo "$IP4" | grep -q NXDOMAIN || echo "$IP4" | grep -q "no A record"; then
|
if echo "$ip4" | grep -q NXDOMAIN || echo "$ip4" | grep -q "no A record"; then
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
if [ -z "$IP4" ] ; then
|
if [ -z "$ip4" ] ; then
|
||||||
# MSYS2 has no host or getent, so we need nslookup
|
# MSYS2 has no host or getent, so we need nslookup
|
||||||
IP4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
ip4=$(nslookup $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
||||||
[ -z "$IP4" ] && return 2
|
[ -z "$ip4" ] && return 2
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
IP6=$(grep -w "$NODE" /etc/hosts | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
ip6=$(grep -w "$NODE" /etc/hosts | grep ':' | grep -v '^#' | egrep "[[:space:]]$NODE" | awk '{ print $1 }')
|
||||||
if [ -z "$IP6" ] ; then
|
if [ -z "$ip6" ] ; then
|
||||||
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
# for IPv6 we often get this :ffff:IPV4 address which isn't of any use
|
||||||
#which getent 2>&1 >/dev/null && IP6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
|
#which getent 2>&1 >/dev/null && ip6=$(getent ahostsv6 $NODE | grep $NODE | awk '{ print $1}' | grep -v '::ffff' | uniq)
|
||||||
if host -t aaaa $NODE &>/dev/null ; then
|
if host -t aaaa $NODE &>/dev/null ; then
|
||||||
IP6=$(host -t aaaa $NODE | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //')
|
ip6=$(host -t aaaa $NODE | grep -v alias | grep -v "no AAAA record" | sed 's/^.*address //')
|
||||||
else
|
else
|
||||||
IP6=""
|
ip6=""
|
||||||
fi
|
fi
|
||||||
# MSYS2 has no host or getent, so we need nslookup
|
# MSYS2 has no host or getent, so we need nslookup
|
||||||
if [ -z "$IP6" ] ; then
|
if [ -z "$ip6" ] ; then
|
||||||
IP6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
ip6=$(nslookup -type=aaaa $NODE 2>/dev/null | grep -A10 Name | grep -v Name | sed 's/^Address.*: .//')
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi # test4iponly
|
|
||||||
|
|
||||||
IPADDRs="$IP4"
|
IPADDRs="$ip4"
|
||||||
[ ! -z "$IP6" ] && IPADDRs="$IP4 $IP6"
|
[ ! -z "$ip6" ] && IP46ADDRs="$ip4 $ip6" || IP46ADDRs="$IPADDRs"
|
||||||
|
|
||||||
# FIXME: we could/should test more than one IPv4 addresses if available, same IPv6. For now we test the first IPv4:
|
# FIXME: we could/should test more than one IPv4 addresses if available, same IPv6. For now we test the first IPv4 or CMDLINE_IP:
|
||||||
NODEIP=$(echo "$IP4" | head -1)
|
NODEIP=$(echo "$ip4" | head -1)
|
||||||
|
[ -n "$CMDLINE_IP" ] && NODEIP="$CMDLINE_IP"
|
||||||
[ -z "$NODEIP" ] && return 3
|
[ -z "$NODEIP" ] && return 3
|
||||||
|
|
||||||
# we can't do this as some checks and even openssl are not yet IPv6 safe. BTW: bash sockets do IPv6 transparently!
|
# we can't do this as some checks and even openssl are not yet IPv6 safe. BTW: bash sockets do IPv6 transparently!
|
||||||
#NODEIP=$(echo "$IP6" | head -1)
|
#NODEIP=$(echo "$ip6" | head -1)
|
||||||
if which host &> /dev/null; then
|
if which host &> /dev/null; then
|
||||||
#rDNS=$(host -t PTR $NODEIP 2>/dev/null | grep -v "is an alias for" | sed -e 's/^.*pointer //' -e 's/\.$//')
|
#rDNS=$(host -t PTR $NODEIP 2>/dev/null | grep -v "is an alias for" | sed -e 's/^.*pointer //' -e 's/\.$//')
|
||||||
rDNS=$(host -t PTR $NODEIP 2>/dev/null | grep 'pointer' | sed -e 's/^.*pointer //' -e 's/\.$//')
|
rDNS=$(host -t PTR $NODEIP 2>/dev/null | grep 'pointer' | sed -e 's/^.*pointer //' -e 's/\.$//')
|
||||||
@ -3460,9 +3465,11 @@ get_dns_entries() {
|
|||||||
|
|
||||||
|
|
||||||
display_rdns_etc() {
|
display_rdns_etc() {
|
||||||
if [ $(printf "$IPADDRs" | wc -w) -gt 1 ]; then
|
local i
|
||||||
|
|
||||||
|
if [ $(printf "$IP46ADDRs" | wc -w) -gt 1 ]; then
|
||||||
out " further IP addresses: "
|
out " further IP addresses: "
|
||||||
for i in $IPADDRs; do
|
for i in $IP46ADDRs; do
|
||||||
[ "$i" == "$NODEIP" ] && continue
|
[ "$i" == "$NODEIP" ] && continue
|
||||||
out " $i"
|
out " $i"
|
||||||
done
|
done
|
||||||
@ -3487,7 +3494,6 @@ draw_dotted_line() {
|
|||||||
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
|
printf -- "$1"'%.s' $(eval "echo {1.."$(($2))"}")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
mx_all_ips() {
|
mx_all_ips() {
|
||||||
local mxs mx
|
local mxs mx
|
||||||
local mxport
|
local mxport
|
||||||
@ -3908,6 +3914,6 @@ fi
|
|||||||
|
|
||||||
exit $ret
|
exit $ret
|
||||||
|
|
||||||
# $Id: testssl.sh,v 1.274 2015/06/11 19:41:24 dirkw Exp $
|
# $Id: testssl.sh,v 1.275 2015/06/15 10:13:15 dirkw Exp $
|
||||||
# vim:ts=5:sw=5
|
# vim:ts=5:sw=5
|
||||||
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
# ^^^ FYI: use vim and you will see everything beautifully indented with a 5 char tab
|
||||||
|
Loading…
Reference in New Issue
Block a user